Nonprofit Data Breaches, Security Policies You Can’t Overlook

You’ve seen the headlines. Equifax had 143 million records hacked. Anthem healthcare had 80 million records stolen. Utah Food Bank’s breach might have exposed the financial records of more than 10,000 donors.

Sophisticated, high-profile hacks make the headlines, but for most nonprofits, it’s the small stuff that leads to lost or stolen data. If you’re writing or reviewing acceptable use or data security policies, there are five things you absolutely need to do.

    Password Guidelines: Every year “123456,” “qwerty,” and “password” rank among the most commonly-used passwords. Your organization can’t afford to let such weak passwords be the gateway to important donor or financial data. Specifying a minimum length, special characters, and capitalization are a good start. Many organizations are now using password management software that can generate random passwords and store them in a system that users can access using just one very strong password. Most of these services also allow you to audit passwords and force users to change them when necessary.

  • For people who chronically forget their passwords, like to reuse passwords frequently, or too easily fall into the trap of using simple passwords, password management can be incredibly helpful.
  • Bring Your Own Device (BYOD): Do you let staff members use their personal phones or laptops for work? Be clear about which devices are appropriate, when they should and shouldn’t use these devices, and the minimum security standards you expect for each device. It can also be helpful to install mobile device management software to ensure that sensitive data can be scrubbed from the device if a staffer leaves or is terminated.
  • Hardware and Software Standards: Every nonprofit should have minimum security standards in place that include firewalls, device encryption, malware protection, processes for updating or patching software, and a data backup schedule. Mapping your environment and following the standards you’ve established will give hackers fewer ways into your data.
  • Social Engineering Training: Sometimes low-tech approaches are used get at an organization’s data. For example, someone might call the front desk saying that a report was supposed to be sent and now the meeting’s about to start. Amid the hurry and confusion, a staffer is likely to send off the data without even stopping to think whether the caller should have had access to the data.
  • Other scenarios include someone dropping into the office for a meeting and being allowed to wander the halls or someone asking to use a password because theirs isn’t working. Mapping out these scenarios and providing clear guidelines for what to do can help reduce the risk that well-meaning people will release data to the wrong people.
  • Incident Response and Disaster Recovery: What will you do if data gets lost or stolen? Who will be on the response team and what roles will each person take? How will you investigate the breach and recover the data? Spelling out roles, responsibilities, and procedures will make a chaotic situation more manageable and get you back to regular operations more quickly.